Mapping defined as this:
"source": {
  "properties": {
    "address": {
      "type": "keyword",
      "fields": {
        "text": { "type" : "text" }
      }
    },
    "ip": { "type": "ip" },
    "port": { "type": "long" },
    "bytes": { "type": "long" },
    "geo": {
      "properties": {
        "city_name": { "type": "keyword" },
        "country_name": { "type": "keyword" },
        "continent_code": { "type" : "keyword" },
        "location": { "type": "geo_point" }
      }
    },
    "as": {
      "properties": {
        "number": { "type": "long" },
        "organization": {
          "properties": {
            "name": { "type": "keyword" }
          }
        }
      }
    }
  }
Errors received when ingesting data:
[2019-11-03T23:26:36,449][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"esxi_network-2019.11.02", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x88ada96>], :response=>{"index"=>{"_index"=>"esxi_network-2019.11.02", "_type"=>"_doc", "_id"=>"2BNgM24BZDNolIqijqjw", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [source.geo.location] of type [geo_point]", "caused_by"=>{"type"=>"parse_exception", "reason"=>"unsupported symbol [.] in geohash [12.5341]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"unsupported symbol [.] in geohash [12.5341]"}}}}}}
[2019-11-03T23:26:36,449][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"esxi_network-2019.11.02", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0xeddc1fc>], :response=>{"index"=>{"_index"=>"esxi_network-2019.11.02", "_type"=>"_doc", "_id"=>"2RNgM24BZDNolIqijqjw", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [source.geo.location] of type [geo_point]", "caused_by"=>{"type"=>"parse_exception", "reason"=>"unsupported symbol [-] in geohash [-78.3715]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"unsupported symbol [-] in geohash [-78.3715]"}}}}}}
Sample of data entry:
...
"source" => {
    "geo" => {
        "city_name" => "São Paulo",
        "country_name" => "Brazil",
        "continent_code" => "SA",
        "location" => [
            [0] "-46.6417",
            [1] "-23.5733"
        ]
    },
    "as" => {
        "number" => "28666",
        "organization" => {
            "name" => "HOSTLOCATION LTDA"
        }
    },
...
Data is picked from geoip lookups like this:
geoip {
  default_database_type => 'City'
  database => '/usr/share/GeoIP2/GeoLite2-City.mmdb'
  cache_size => 5000
  source => '[source][ip]'
  target => '[@metadata][geo]'
  fields => ['city_name','continent_code','country_name','latitude','longitude']
  add_field => [
    '[source][geo][city_name]', '%{[@metadata][geo][city_name]}',
    '[source][geo][country_name]', '%{[@metadata][geo][country_name]}',
    '[source][geo][continent_code]', '%{[@metadata][geo][continent_code]}',
    '[source][geo][location]', '%{[@metadata][geo][longitude]}',
    '[source][geo][location]', '%{[@metadata][geo][latitude]}'
  ]
  remove_field => ['[@metadata][geo]']
}
# sometimes city still is unknown on successful lookups
if [source][geo][city_name] == '%{[@metadata][geo][city_name]}' {
  mutate { remove_field => ['[source][geo][city_name]'] }
}
TIA for any hints as to what I might be doing wrong!
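
An added example, not part of the original post: a Ruby sketch that reproduces the two "unsupported symbol" errors from the array of strings in the sample event and shows the same pair passing once it is numeric. It assumes Elasticsearch's documented geo_point input forms (a numeric pair is read as [lon, lat]; a string is read on its own as "lat,lon" or a geohash); all function names are hypothetical.

```ruby
# Added example: names are hypothetical; the sample is built from the post's values.
GEOHASH_ALPHABET = '0123456789bcdefghjkmnpqrstuvwxyz'.freeze

# A lone string is read as "lat,lon" when it has a comma, otherwise as a geohash.
def check_point_string(str)
  if str.include?(',')
    lat, lon = str.split(',', 2).map { |v| Float(v.strip) }
    return { lat: lat, lon: lon }
  end
  bad = str.each_char.find { |c| !GEOHASH_ALPHABET.include?(c) }
  raise ArgumentError, "unsupported symbol [#{bad}] in geohash [#{str}]" if bad
  { geohash: str }
end

# List the problems a geo_point value would hit, in the shape it is sent.
def geo_point_problems(value)
  case value
  when Array
    # A pair of numbers is one point in [lon, lat] order.
    return [] if value.size == 2 && value.all? { |v| v.is_a?(Numeric) }
    # Otherwise the field is multi-valued: each element is its own point.
    value.flat_map { |v| geo_point_problems(v) }
  when String
    begin
      check_point_string(value)
      []
    rescue ArgumentError => e
      [e.message]
    end
  when Hash
    value.key?('lat') && value.key?('lon') ? [] : ['object needs lat and lon']
  else
    ["unsupported value #{value.inspect}"]
  end
end

# Turn the [lon, lat] pair of strings produced by add_field into floats.
def normalize_location(value)
  return value unless value.is_a?(Array) && value.size == 2
  lon, lat = value.map { |v| Float(v) }
  unless lon.between?(-180, 180) && lat.between?(-90, 90)
    raise ArgumentError, 'coordinates out of range'
  end
  [lon, lat]
end

SAMPLE = ['-46.6417', '-23.5733'].freeze # constructed: [longitude, latitude]
puts geo_point_problems(SAMPLE)
puts geo_point_problems(normalize_location(SAMPLE)).empty?
```

Because add_field interpolates with `%{...}`, both coordinates reach the output as strings, which is the shape the first call rejects.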